Thank you for visiting my website! This page offers a brief sketch of the person behind the website.
Professional Experience
Information Security
I’ve been successful in information security, system administration and programming (see my resume). However, since 2000, I have dedicated my career to information security.
I collaborate with business units to help manage information risk so that they can make an informed decision to keep total risk (information risk is one facet) at an acceptable level. I am not a gate that simply approves or disapproves initiatives based on information security dogma.
For example, to stay competitive, a company might consider engaging a third party’s specialized application in The Cloud to process confidential information. Due to the highly competitive nature of their business, the company cannot afford the time required to develop, test, and implement a custom application. I would assess the risk to the information that the third party would process and suggest methods to mitigate the risk. Business units would factor my analysis into the overall risk analysis of using the third party.
I would not try to stop the company from using the third party simply because the company would lose direct control of how the confidential information is protected.
I take a similar collaborative approach to operational aspects of information security. My experience as a system administrator and programmer allows me to work well with technical staff. I understand their priorities and mindset, so I can help reduce risk and not be a burden.
For instance, system administrators could (understandably) resent receiving information security reports with nothing more than marching orders to remediate the problems. As a result, the system administrators might only remediate the problems when required by policy. Worse yet, the system administrators could (again, understandably) view Information Security as the department to avoid. This adversarial relationship would likely result in unnecessary risk in the future because Information Security was not consulted during a project.
Other Experience
(Or: How I Became an Information Security Specialist)
In the first phase of my career, I fixed bugs in Digital Equipment Corporation’s TOPS-10 operating system and TOPS-10/TOPS-20 print and batch subsystem.
As operating systems matured and required less day-to-day operating system level maintenance, I became a system administrator on Digital Equipment Corporation and Microsoft Windows computers, and I developed custom applications to automate tasks, such as a network port tester.
As a result of my success as a system administrator, I was asked to add administering my company’s Internet firewalls to my duties, despite the fact that I had no experience with networking, firewalls, or information security. Fortunately, I used the challenging new responsibilities to learn about TCP/IP, firewalls, and the information security discipline.
I found information security so fascinating that I jumped at the first opportunity to dedicate my career to information security.